ABSTRACT
Currently, many organizations make use of the personal data of their users. Personal data is the set of information that can lead to the identification of a specific person and, therefore, this information is generally vital for the operations and business continuity of organizations. Consequently, adopting methodologies that guarantee the protection and privacy of user information is indispensable to prevent the leaking of sensitive information. Therefore, laws were created to establish essential requirements for organizations to support and protect the personal data of users, such as the European General Data Protection Regulation (GDPR) and the Brazilian General Data Protection Law (LGPD). This work aims to develop a framework to support ICT professionals in adapting companies to the requirements demanded by the LGPD. To achieve this purpose, a framework based on the BEST methodology (Business Engaged Security Transformation) was proposed. This framework has a sustainable approach and can be implemented by any organization. A survey was carried out to collect the perception of Information and Communication Technology (ICT) practitioners regarding the adherence of organizations to LGPD adaptation actions. As a result, we identified a weakness in the privacy and information security management methodology implemented in organizations, which, in the future, may result in risks and damage to user information.
Index Terms
- Ensuring privacy in the application of the Brazilian general data protection law (LGPD)